This Confluence has been LDAP enabled, if you are an ASF Committer, please use your LDAP Credentials to login. Any problems file an INFRA jira ticket please.

Page tree

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Added CVE-2019-12401

...

Table of Contents

Security Announcements

...

The following table lists the dependencies and associated CVEs which are not considered problems for Lucene or Solr.

Solr Versions

Jar or Path

Related CVEs

Date Added

Status & Notes

7.3.1-7.5.0

tika-core.1.17.jar (and earlier)

2018-1335

6 Jun 2018

Solr does not run tika-server, so this is not a problem.

7.3.1-7.5.0

tika-core.1.17.jar (and earlier)

2018-1338, 2018-1339

6 Jun 2018

These issues would only be exploitable if untrusted files are indexed with SolrCell. This is not recommended in production systems as indicated above. Additionally, Solr upgraded to Tika 1.18 in Solr 7.4.

4.7.0-7.3.1

jackson-databind-2.5.4.jar (and earlier)

2017-15095, 2017-17485, 2017-7525, 2018-5968, 2018-7489

6 Jun 2018

Jackson was upgraded to 2.9.5 in Solr 7.4.

7.3.1

lucene-analyzers-icu-7.3.1.jar

2014-7940, 2016-6293, 2016-7415, 2017-14952, 2017-17484, 2017-7867, 2017-7868

6 Jun 2018

All of these issues apply to the C++ release of ICU and not ICU4J, which is what Lucene uses.

6.0.0-7.5.0

icu4j-56.1.jar, icu4j-59.1.jar

2017-14952

6 Jun 2018

Issue applies only to the C++ release of ICU and not ICU4J, which is what Lucene uses. ICU4J is at v63.2 as of Lucene/Solr 7.6.0

6.6.1-7.6.0

hadoop-auth-2.7.4.jar, hadoop-hdfs-2.7.4.jar (all Hadoop)

2017-15718

6 Jun 2018

Does not impact Solr because Solr uses Hadoop as a client library.

4.9.0-7.5.0

commons-beanutils-1.8.3.jar

2014-0114

6 Jun 2018

This is only used at compile time and it cannot be used to attack Solr. Since it is generally unnecessary, the dependency has been removed as of 7.5.0.

5.5.5, 6.2.0-today

vorbis-java-tika-0.8.jar

2016-6809, 2018-1335, 2018-1338, 2018-1339

6 Jun 2018

See

https://github.com/Gagravarr/VorbisJava/issues/30

; reported CVEs are not related to OggVorbis at all.

~2.9-today

xercesImpl-2.9.1.jar

2012-0881

6 Jun 2018

Only used in Lucene Benchmarks and Solr tests.

6.6.2-today

velocity-tools-2.0.jar contains Apache Struts 2.0.0

link to CVEs

3 Nov 2018

Solr does not ship a Struts jar. This is a transitive POM listing and not included with Solr (see comment in SOLR-2849).

6.5.0-today

protobuf-java-3.1.0.jar

2015-5237

3 Nov 2018

Dependency for Hadoop and Calcite. ??

4.6.0-today

derby-10.9.1.0.jar


3 Nov 2018

Used only in DataImportHandler tests and example implementation, which should not be used in production.

4.6.0-7.6.0

junit-4.10.jar

2018-1000056

31 Dec 2018

JUnit only used in tests; CVE only refers to a Jenkins plugin not used by Solr.

4.6.0-today

dom4j-1.6.1.jar

2018-1000632

31 Dec 2018

Only used in Solr tests.

5.2.0-today

org.restlet-2.3.0.jar

2017-14868, 2017-14949

31 Dec 2018

Solr should not be exposed outside a firewall where bad actors can send HTTP requests.

4.6.0-today

commons-compress (only as part of Ant 1.8.2)

2012-2098, 2018-1324, 2018-11771

31 Dec 2018

Only used in test framework and at build time.

5.4.0-today

carrot2-guava-18.0.jar

2018-10237

31 Dec 2018

Only used with the Carrot2 clustering engine.

4.6.0-today

guava-14.0.1.jar

2018-10237

31 Dec 2018

??

5.4.0-today

simple-xml-2.7.1.jar

2018-1471

3 Jan 2019

Dependency of Carrot2 and used during compilation, not at runtime (see SOLR-769).

4.x-today

slf4j-api-1.7.24.jar, jcl-over-slf4j-1.7.24.jar, jul-to-slf4j-1.7.24.jar

2018-8088

6 Feb 2019

The reported CVE impacts org.slf4j.ext.EventData, which is not used in Solr.